b'                      UNITED STATES DEPARTMENT OF EDUCATION\n\n                                      OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                                            September 21, 2005\n                                                                                             CONTROL NUMBER\n                                                                                            ED-OIG/A19F0003\n\nMichell C. Clark\nActing Chief Information Officer\nOffice of the Chief Information Officer\nU.S. Department of Education\n400 Maryland Avenue, SW\nWashington, DC 20202\n\nDear Mr. Clark:\n\nThis Final Audit Report (Control Number ED-OIG/A19F0003) presents the results of our audit\nof the Audit Followup Process for Office of Inspector General Internal Audits in the Office of the\nChief Information Officer. The objective of our audit was to verify whether adequate\ndocumentation was maintained to support that corrective action items have been implemented as\nstated in the Department of Education\xe2\x80\x99s (Department) corrective action plans (CAP). This audit\nis a part of a review of the Department\xe2\x80\x99s internal audit followup process being performed in four\nprincipal offices (POs). A summary report will be provided to the Department\xe2\x80\x99s Chief Financial\nOfficer upon completion of the audits in individual offices.\n\n\n                                           BACKGROUND\nOffice of Management and Budget (OMB) Circular A-50, entitled \xe2\x80\x9cAudit Followup,\xe2\x80\x9d provides\nthe requirements for establishing systems to assure prompt and proper resolution and\nimplementation of audit recommendations. The Department established a Post Audit User Guide\n(Guide) to provide policy and procedures for the audit followup process. Section I, \xe2\x80\x9cOverview,\xe2\x80\x9d\nof the Guide states,\n\n       The effectiveness of the post audit process depends upon taking appropriate,\n       timely action to resolve audit findings and their underlying causes, as well as\n       providing an effective system for audit close-out, record maintenance, and follow-\n       up on corrective actions.\n\n\n\n\n                           400 MARYLAND AVE., S.W. WASHINGTON, D.C. 20202-1510\n\n           Our mission is to ensure equal access to education and to promote educational excellence\n\x0cMr. Clark\t                                                                        Page 2 of 8\n\n\n\nWhile overall responsibility for the audit followup process is assigned to the Office of the Chief\nFinancial Officer (OCFO), Post Audit Group (PAG), each Assistant Secretary (or equivalent\noffice head) is responsible for ensuring that the overall audit followup process operates\nefficiently and consistently. The Guide defines further responsibilities of the Action Official\n(AO), generally the Assistant Secretary (or equivalent office head), to include:\n\n    \xe2\x80\xa2 \t Determining the action to be taken and the financial adjustments to be made in resolving\n        findings in audit reports concerning respective program areas of responsibility,\n    \xe2\x80\xa2 \t Maintaining formal, documented systems of cooperative audit resolution and follow-up\n        to ensure that audit recommendations are implemented, completion dates captured, and\n        appropriate documentation maintained to support completed corrective actions.\n\nThe Department tracks audit resolution and the completion of corrective action items through the\nAudit Accountability and Resolution Tracking System (AARTS). For each audit, AARTS stores\ndetailed information on audit resolution, proposed corrective action items, Office of Inspector\nGeneral (OIG) concurrence with these action items, responsible individuals, and completion and\nclosure data.\n\nWhen a PO has completed all corrective action items for an internal OIG audit, the PO certifies\nthis fact to PAG and requests closure of the audit in AARTS. PAG staff perform a review of the\ndocumentation in the audit resolution file maintained by the PO to determine whether\nimplementation of corrective action items is supported. Once PAG is satisfied that\nimplementation of the corrective action items reviewed is supported, the audit is closed in\nAARTS. PAG staff stated that until sometime in Fiscal Year 2004, only a sample of corrective\naction items was evaluated and that PO staff did not necessarily know that all corrective action\nitems were not reviewed. PAG staff stated that currently all corrective action items are evaluated\nin these reviews.\n\n\n                                     AUDIT RESULTS\nWe found improvements are needed in the Office of the Chief Information Officer\xe2\x80\x99s (OCIO)\ninternal control over its audit followup process. Our audit revealed that OCIO\xe2\x80\x99s audit followup\nprocess did not support the completion of all corrective action items, and audit resolution files\nwere not maintained for all audits included in this review. In addition, this process did not\nalways support completion of corrective action items by the date reported as completed in\nAARTS.\n\nOCIO audit resolution staff were aware of the Department\xe2\x80\x99s documentation requirements for\naudit resolution files, and stated the PO has implemented changes over the past two years to\nimprove their audit followup process. While we noted some improvements in the process,\nfurther improvements are needed. We found OCIO did not maintain separate audit resolution\nfiles for three of the five audits reviewed. In addition, we found documentation did not support\ncompletion of 17 of the 57 corrective action items included in our review. As a result, OCIO\ndoes not have assurance that corrective action items were implemented. In addition, reporting\n\n                                         ED-OIG/A19F0003\n\n\x0cMr. Clark\t                                                                                       Page 3 of 8\n\n\n\ncorrective action items as completed before the actions have actually been taken compromises\nthe integrity of the data included in AARTS, understates internal management reports and reports\nto Congress on corrective action items that have not yet been completed, and may negatively\nimpact the Department\xe2\x80\x99s credibility.\n\nIn its response to the draft audit report, OCIO concurred with the finding and provided corrective\nactions to address each of the recommendations included in our report. The complete text of\nOCIO\xe2\x80\x99s response is included as Attachment 2 to this report.\n\n\nFinding 1         OCIO Audit Followup Was Not Always Effective\nWe found OCIO\xe2\x80\x99s audit followup process was not always effective. While OCIO certified that\ncorrective action items were completed, we found they were unable to support completion of 17\nof the 57 corrective action items reviewed (30 percent). We were able to validate closure dates\nfor 36 of the 40 supported corrective actions through OCIO provided documentation.1 We found\nOCIO reported 17 of these 36 action items (47 percent) as completed in the Department\xe2\x80\x99s audit\ntracking system prior to dates reflected by supporting documentation.\n\nDocumentation Did Not Support Completion of Corrective Action Items\n\nOCIO audit resolution file documentation did not initially support completion of 32 of the 57\ncorrective action items reviewed (56 percent). In response to an OIG request, OCIO provided\nadditional documentation not originally included in the audit resolution files that supported\ncompletion of 15 additional corrective action items. Ultimately, OCIO could not provide\ndocumentation to support completion of 17 of the 57 corrective action items (30 percent).\nUnsupported action items noted during this audit included the following:\n\n    \xe2\x80\xa2 \t In one audit, the corrective action item stated an annual training program for the\n        Resource Officer, Records Liaison Officer (RLO), and Contracting Officer\n        Representatives (COR) would be developed.2 OCIO\xe2\x80\x99s audit resolution file included a\n        Records Management Pilot Evaluation Plan and Hummingbird PCDOCs and Cyber\n        DOCS Evaluation Report. In response to our request for additional documentation,\n        OCIO indicated the corrective action item had not been completed by stating, \xe2\x80\x9cThe\n        implementation of annual training programs for RLOs and CORs was postponed because\n        of One-ED.\xe2\x80\x9d\n\n    \xe2\x80\xa2 \t In another audit, the corrective action item stated that with the publication of the\n        modified directive, OCIO would publish calling card policies in ED Notebook and send\n\n\n\n1\n  In four cases, we could not validate closure dates because of limitations in the supporting documentation provided \n\nby OCIO. \n\n2\n  Audit Control Number (ACN) A11-A0011: \xe2\x80\x9cAudit of the Department\xe2\x80\x99s Records Management Program,\xe2\x80\x9d issued \n\nSeptember 27, 2001, Corrective Action Item 1.1.1. \n\n\n                                                ED-OIG/A19F0003\n\n\x0cMr. Clark                                                                                 Page 4 of 8\n\n\n\n        email notices to all employees.3 OCIO provided a printed page, initialed by the CIO,\n        stating an ED Notebook Announcement was sent to all Department employees on June\n        23, 2003. It continued to say the announcement was posted on the ConnectED ED\n        Notebook page. However, there were no copies of this announcement or the email\n        notices in the audit resolution file. In response to our request for additional information,\n        OCIO responded stating, \xe2\x80\x9cNo copy of the particular ED Notebook entry that announced\n        the publication of the directive is now available.\xe2\x80\x9d\n\nPAG issued Audit Closure Memos for four of the five audits included in this review. These four\naudits contained 42 of the 57 corrective action items we reviewed. We noted 20 of these 42\ncorrective action items were identified as reviewed by PAG prior to issuance of the Audit\nClosure Memos. We determined 12 of the 20 corrective action items reviewed by PAG were\nadequately supported by documentation provided by OCIO. The results of our analysis of the\neffectiveness of PAG\xe2\x80\x99s review process will be included in the audit followup summary report\nissued to the Chief Financial Officer upon completion of the audits in individual offices.\n\nDocumentation Did Not Support Reported Completion Dates\n\nFor the 36 corrective action items for which completion dates could be verified, OCIO reported\n17 corrective action items as completed in AARTS prior to dates reflected by supporting\ndocumentation (47 percent). These items were reported as completed from 1 day to 16 months\nbefore dates reflected on supporting documentation. Fourteen of the 17 actions were reported as\ncompleted two or more months before dates noted on supporting documentation (82 percent).\n\nFor example, OCIO provided us slides, dated June 17, 2003, from an online records management\ntraining course as supporting documentation for a corrective action item reported in AARTS as\ncompleted on April 19, 2002.4 We reviewed this documentation and determined it did not\nsupport the reported completion date in AARTS.\n\nRequirements for Audit Followup\n\nOMB Circular A-50, entitled \xe2\x80\x9cAudit Followup,\xe2\x80\x9d provides the requirements for establishing\nsystems to assure prompt and proper resolution and implementation of audit recommendations.\nThe Circular states\xe2\x80\x94\n\n        Audit followup is an integral part of good management, and is a shared\n        responsibility of agency management officials and auditors. Corrective action\n        taken by management on resolved findings and recommendations is essential to\n        improving the effectiveness and efficiency of Government operations. Each\n        agency shall establish systems to assure the prompt and proper resolution and\n        implementation of audit recommendations. These systems shall provide for a\n\n\n3\n  ACN A19-B0011: \xe2\x80\x9cAudit of Controls over Government Calling Cards,\xe2\x80\x9d issued October 24, 2002, Corrective \n\nAction Item 1.2.1. \n\n4\n  ACN A11-A0011, Corrective Action Item 1.1.3. \n\n\n                                             ED-OIG/A19F0003\n\n\x0cMr. Clark                                                                       Page 5 of 8\n\n\n\n        complete record of action taken on both monetary and non-monetary findings and\n        recommendations.\n\nThe Department\xe2\x80\x99s Post Audit User Guide, Section IV, \xe2\x80\x9cInternal Audits,\xe2\x80\x9d Chapter 1, \xe2\x80\x9cED Office\nof Inspector General (ED-OIG) Audit Reports and Alternative Products,\xe2\x80\x9d Part G, \xe2\x80\x9cCorrective\nActions,\xe2\x80\x9d states:\n\n        Each AO must maintain documentation to support implementation of each\n        corrective action in accordance with the Guidelines for Establishing File Folders\n        and Maintaining Documentation. The documentation must be specifically\n        identifiable to a corrective action to withstand any post audit closure review by\n        PAG/OCFO, ED-OIG, [Government Accountability Office] GAO and/or OMB.\n        All ED-OIG audit records must be retained by an AO for at least five years after\n        ED-OIG is notified that all corrective actions have been completed.\n\nThe Department\xe2\x80\x99s Guidelines for Establishing File Folders and Maintaining\nDocumentation states:\n\n        A file folder should be established for each audit report beginning with the draft\n        report. Each folder should contain . . .Documentation to support implementation\n        of corrective actions or specific notes that indicate where said documents are\n        located . . .Explanation of how such documentation supports the corrective action,\n        if not readily understood or evident.\n\nThe Guidelines for Establishing File Folders and Maintaining Documentation also provides\nexamples of supporting documentation to include memos of understanding, final regulations,\nDear Colleague Letters, records from databases, and policies and procedures.\n\nOCIO acknowledged that before the prior CIO took office in 2003, the PO was not adequately\nmaintaining documentation to support completion of corrective action items. OCIO\xe2\x80\x99s former\nAudit Liaison Officer did not require evidence to show that a corrective action had been\nimplemented. The only requirement was an email stating the corrective action item was\ncompleted.\n\nOCIO staff stated their internal audit followup process has improved and changes have been\nmade within the past two years. They stated their process is more centralized, allowing only one\nstaff member to close corrective action items in AARTS. In addition, OCIO staff stated\ncorrective action items are not reported as completed until the CIO and the Chief of Staff have\nreviewed the documentation to ensure it supports completion of the action item. OCIO also\nindicated that all supporting documentation is currently filed and tabbed in binders for each\naudit.\n\nWhile we acknowledge OCIO has implemented changes to their internal audit followup system,\nfurther improvements are needed. During our review, we noted the percentage of completion\ndates correctly reported in AARTS was better under OCIO\xe2\x80\x99s newly implemented process.\n\n                                        ED-OIG/A19F0003\n\n\x0cMr. Clark\t                                                                       Page 6 of 8\n\n\n\nHowever, the percentage of unsupported corrective action items did not improve with the applied\nchanges.\n\nWithout appropriate documentation, OCIO does not have assurance that identified deficiencies\nwere corrected. As such, the risk remains that related programs may not be effectively managed.\n\nBy reporting corrective action items as completed when they have not been, or in advance of the\nactual completion date, OCIO compromises the integrity of the data included in AARTS and\nmay negatively impact the Department\xe2\x80\x99s credibility. Management reports on corrective action\nitems due for completion may be understated. In addition, the Department\xe2\x80\x99s Semiannual Report\nto Congress on Audit Followup may also under report the audits for which corrective action\nitems have not been completed.\n\n\nRecommendations:\n\nWe recommend that the Acting Chief Information Officer:\n\n    1.1 \t    Ensure audit followup documentation clearly supports completion of the stated action\n             item as it is worded in the CAP.\n\n    1.2 \t    Ensure completion dates reported in AARTS are consistent with dates reflected in\n             supporting documentation.\n\n    1.3 \t    Update AARTS to reflect the actual completion dates for the action items noted in the\n             audit with discrepancies in the reported completion dates.\n\n\nOCIO Response:\n\nIn its response to the draft audit report, OCIO concurred with the finding and provided corrective\nactions to address each of the recommendations included in our report. OCIO stated all post\naudit documentation is maintained centrally within individual audit notebooks. In addition, a\ntemplate for the OCIO audit notebook cover sheet has been developed to standardize quality post\naudit documentation. Corrective actions will not be marked as complete until the CIO has\napproved the supporting documentation. This will provide independent verification and\nvalidation that the corrective action has been completed and the completed dates entered into\nAARTS are supported by documentation. OCIO also indicated it would work with PAG to\nupdate the completion dates for the actions listed in the table in Attachment B of its response,\nhowever, OCIO noted it believed it had documentation supporting the existing completion date\nfor one of the actions cited.\n\n\n\n\n                                         ED-OIG/A19F0003\n\n\x0cMr. Clark                                                                       Page 7 of 8\n\n\n\nOIG Comments:\n\nWhen OCIO submitted its draft report response to OIG, it asked for insight on what other\ndocumentation should be used to support the closure of the action item noted above. OIG\nresponded and OCIO subsequently concurred with the information provided, stating it would\nwork with PAG to update the completion date for this action item as well.\n\n\n                  OBJECTIVE, SCOPE, AND METHODOLOGY\nThe objective of our audit was to verify whether adequate documentation was maintained to\nsupport that corrective action items have been implemented as stated in the Department\xe2\x80\x99s CAPs.\n\nTo accomplish our objective, we performed a review of internal control applicable to OCIO\xe2\x80\x99s\naudit followup process. We reviewed applicable laws and regulations, and Department policies\nand procedures. We conducted interviews with OCFO/PAG staff regarding Department policy\nand procedures, and AARTS operation. We conducted interviews with OCIO staff responsible\nfor resolving and following up on corrective action items for the audits selected. We also\nreviewed documentation provided by OCIO staff to support completion of corrective action\nitems for the recommendations included in our review.\n\nThe scope of our audit was limited to corrective action items developed in response to internal\nOIG audits of OCIO processes and programs. Our scope included only those corrective action\nitems reported as \xe2\x80\x9ccompleted\xe2\x80\x9d in AARTS during the period July 1, 2002, through September 30,\n2004. We excluded from our review corrective action items for recurring audits, such as annual\nfinancial statement audits, information security audits, or those with prior or planned followup\naudits, so as not to duplicate audit effort. Overall, we selected a total of 57 corrective action\nitems from 5 OCIO related audits. The selected audits and corrective action items reviewed are\nlisted in Attachment 1 to this report.\n\nWe relied on computer-processed data initially obtained from AARTS to identify action items\napplicable to the scope period. An alternative data source is not available to directly test the\ncompleteness of the corrective action items as reported in AARTS. However, we tested the\naccuracy of AARTS data by comparing AARTS data to supporting documentation. We also\nconducted a limited review of AARTS data controls and relied on feedback from resolution staff\nto gain additional assurance relating to the completeness and accuracy of AARTS data. Based on\nthese tests and assessments, we determined that the computer-processed data was sufficiently\nreliable for the purpose of our audit.\n\nOur review was based on the corrective action items defined by OCIO in its CAPs and agreed\nupon by OIG in the audit resolution process. We reviewed and analyzed documentation in\nOCIO\xe2\x80\x99s audit resolution files to determine whether completion of each selected corrective action\nitem was supported. In cases where documentation in the file did not support completion of the\naction item, we provided OCIO with an opportunity to provide additional documentation from\nother sources. We reviewed any additional documentation subsequently provided to make a final\n\n                                        ED-OIG/A19F0003\n\n\x0cMr. Clark\t                                                                       Page 8 of 8\n\n\n\ndetermination as to whether completion of the corrective action items was then supported. In\naddition, we verified the reported completion dates in AARTS against the supporting\ndocumentation provided, where possible, for those corrective action items that were supported.\n\nWe conducted fieldwork at OCIO offices in Washington, DC, during the period December 2004\nthrough July 2005. We held an exit conference with OCIO staff on July 18, 2005. Our audit was\nperformed in accordance with generally accepted government auditing standards appropriate to\nthe scope of the review described above.\n\n\n                            ADMINISTRATIVE MATTERS\nCorrective actions proposed (resolution phase) and implemented (closure phase) by your office\nwill be monitored and tracked through the Department\xe2\x80\x99s Audit Accountability and Resolution\nTracking System. Department policy requires that you develop a final CAP for our review in the\nautomated system within 30 days of the issuance of this report. The CAP should set forth the\nspecific action items, and targeted completion dates, necessary to implement final corrective\nactions on the finding and recommendations contained in this final audit report.\n\nIn accordance with the Inspector General Act of 1978, as amended, the Office of Inspector\nGeneral is required to report to Congress twice a year on the audits that remain unresolved after\nsix months from the date of issuance.\n\nStatements that managerial practices need improvements, as well as other conclusions and\nrecommendations in this report, represent the opinions of the Office of Inspector General.\nDeterminations of corrective action to be taken will be made by the appropriate Department of\nEducation officials.\n\nIn accordance with the Freedom of Information Act (5 U.S.C. \xc2\xa7552), reports issued by the Office\nof Inspector General are available to members of the press and general public to the extent\ninformation contained therein is not subject to exemptions in the Act.\n\nWe appreciate the cooperation provided to us during this review. Should you have any questions\nconcerning this report, please call Michele Weaver-Dugan at (202) 245-6941.\n\n                                             Sincerely, \n\n\n\n                                             Helen Lew /s/        \n\n                                             Assistant Inspector General for Audit Services \n\n\n\ncc: \t   Nina Aten, Audit Liaison Officer, OCIO\n        Charles Miller, Supervisor, PAG/OCFO\n\n\n                                        ED-OIG/A19F0003\n\n\x0c          ATTACHMENT 1 \xe2\x80\x93 Audits and Corrective Action Items Reviewed\n\nNumber Audit          Title            Issue     Corrective     Unsupported Unsupported\n      Control                          Date     Action Items    Action Items Completion\n      Number                                     Reviewed                        Dates\n  1    A11- Audit of the              9/27/01   1.1.1, 1.1.2,    1.1.1, 2.5.2 1.1.3, 1.2.1,\n       A0011 Department\xe2\x80\x99s Records               1.1.3, 1.1.4,                 2.2.1, 2.2.2,\n              Management Program                1.2.1, 1.2.2,                     2.3.1\n                                                1.2.3, 2.1.1,\n                                                2.2.1, 2.2.2,\n                                                2.3.1, 2.4.1,\n                                                 2.5.1, 2.5.2\n   2    A11- Phase II Audit of the    3/28/03   1.1.1, 1.1.2,   1.5.2, 1.6.3     1.3.2, 1.4.2,\n        D0001 Department\xe2\x80\x99s Critical             1.2.1, 1.2.2,                        1.5.1\n              Infrastructure                    1.3.1, 1.3.2,\n              Protection Program                1.4.1, 1.4.2,\n                                                1.5.1, 1.5.2,\n                                                1.6.1, 1.6.2,\n                                                1.6.3, 1.6.4,\n                                                    1.7.2\n   3    A11- Implementation of the 9/30/02      1.1.1, 1.1.2,    1.2.1, 1.2.2,   1.2.3, 1.2.4\n        C0009 Government Paperwork              1.2.1, 1.2.2,    1.2.5, 1.2.6\n              Elimination Act                   1.2.3, 1.2.4,\n                                                 1.2.5, 1.2.6\n   4    A19- Audit of Controls over 10/24/02    1.1.1, 1.2.1,    1.2.1, 1.4.1,   1.2.2, 1.3.1,\n        B0011 Government Calling                1.2.2, 1.3.1,    2.4.1, 3.2.1    2.1.1, 2.2.1,\n              Cards                             1.4.1, 1.5.1,                    2.3.1, 3.1.1\n                                                2.1.1, 2.2.1,\n                                                2.3.1, 2.4.1,\n                                                2.5.1, 3.1.1,\n                                                    3.2.1\n   5    A07- Audit of Capital         9/12/03   1.1.1, 1.2.1,    1.2.1, 2.1.1,      1.1.1\n        C0033 Planning and                      2.1.1, 2.2.1,    2.2.1, 2.3.1,\n              Investment                        2.3.1, 2.4.1,        2.4.1\n              Management                            3.1.1\nTOTAL                                                 57              17              17\n\x0c                                                                                                                         Attachment 2\n\n\n                                 UNITED STATES DEPARTMENT OF EDUCATION\n\n                                                          OPPICE OP MANAGEMENT\n\n                                                                                                                        ASS ISTANT SE;CRETARY\n\n\n                                                        September 7, 2005\n\n\nTO: \t          Helen Lew\n               Assistant In spector General for Audit\n               Office of Inspector General\n\nFROM: \t        Michell C. Clark\n               Acting Assistant Secre\xc2\xbb.rrror-j<;Jant<getflent and C hi ef lnfonn ation Officer\n\nSUBJECT: \t     DRAFT AUDIT REPORT: Audit Followup Process for Office ofInspector\n               General Intemal Audits in the Office of the Chieflnfomlation Officer, Control\n               Number ED-OIGIAI9F0003\n\n\nThank you for your draft audit report, Audit FollolVup Process for Office 0/ Inspector General\nInternal Audits in the Office o/the e llie/In/ormation Officer, ED-OIG/A19-F0003 dated August\n9,2005. The Office o f tb e Chief lnformation Officer (OCrO) concurs with the sin gle findin g,\nspeci fically:\n\n            Finding # 1- OCIO Audit Followup Was Not Always Effective\n\nThe following is Ollr proposed correcti ve action to add ress the three recom mendations yo ur\noffice has pro vided related to the above finding.\n\nRecommendation 1.1 Ensure audit followup documentation clearly supports compl etion of the\nstated action item as it is worded in the CAP.\nProposed Corrective Action: All post audit documentati o n for OCI0 audits is maintained\ncentrall y within indi vid ual audit notebooks. A template for the OCIO audit notebook cover sheet\nhas been developed to standardi ze quality post audit documentation. This cover sheet is now\nmai ntained at the front of all audit no tebooks. A space is provided to cheek off each\nrequirement, as we ll as record the initials oftbe staff perso n validating that the requirement has\nbeen met. The templ ate stipul ates in point 2e that all CAP actions speci fi ca ll y identify req uired\ndoc umentati on or ev idence to support marking the CAP as comp leted in AARTS. The template\nincludes an addi ti onal checkpoint for tbi s action in poi nt nine. This template is included in\nAttachment A. The ocro Audit Official Liaison wi ll not mark any corrective acti on as\ncompl ete until the Chief In formati o n Officer has approved th e submitted supporting\ndocumentation. This will provide ind epend ent verifi cation and va lidat ion that the corrective\naction has been compl eted. A copy of the temp late will be kept in the audit noteboo k.\nCo mpleted: September 7, 2005\n\n\n\n\n                                              400 M AR YLAN D AV E. , S. W ., WASHINGT ON , DC. 20202 -4500\n                                                                         wv.\'Vo\'   cd .go\\\'\n\n               Ou r I1USSW rl   IS 10   ensure equal access   [0 edUCQHOII   and 10 promote edu.catlonal excellence throughout cite   Natioll.\n\x0cResponse to Draft Audit Report ED-OlG/A19F0003                                           Page 2\n\n\nRecommendation 1.2 Ensure completion dates reported in AARTS are consistent with dates \n\nreflected in supporting documentation. \n\nProposed Corrective Action: The audit notebook cover template referenced in corrective \n\naction 1/1 /1 stipulates that all completed dates reported in AARTS are substantiated by the \n\ndocumentation cited in the CAP. Please see point 9 of the template in Attachment A. The ocro         \n\nAudit Official Liaison will ensure that the completed dates for all corrective actions match the \n\ndates of the submitted supporting documentation, as approved by the Chief Information Officer. \n\nThis will provide independent veri fication and validation that the completed dates entered into \n\nAARTS are supported by documentation. A copy of the template will be kept in the audit \n\nnotebook. \n\nCompleted: September 7,2005 \n\n\nRecommendation 1.3 Update AARTS to reflect the actual completion dates for the action items \n\nnoted in the audit with discrepancies in the reported completion dates. \n\nProposed Corrective Action: ocro will work with Post Audit Group to update the completion \n\ndates for the actions listed in the table in Attac1mlent B. A copy of this table, as well as the \n\nupdated CAPS from AARTS for each of the referenced audits, will be kept in the audit notebook. \n\n\nPlease note that ocro believes it has documentation to support the existing completion date of \n\n3/1 3/04 for CAP 07-C0033 / 1111l. \n\n\nProposed Completion Date: September 30, 2005. \n\n\nIf you have any questions, please contact Nina Aten on my staff at 401-5846. \n\n\nATT ACHMENTS \n\n\x0c                      ATTACHMENT A - OCI0 Audit Notebook Cover Template\n\n\nAUDIT CONTROL # (ACN): \n\nAUDIT: \n\n\nISSUE DATE: \n\n\nDATE CLOSED: \n\n\nARcmVE RETENTIION DATE (5 years following official closure) :\n\n\n                                                                                     Initials of\n                       Audit Notebook Content Checklist                      Checked Validator\n1. \t OIG Draft Audit Report\n2. \t OM or OCIO Response to Draft Audit Report\n         a. \t Contact Name provided for each corrective action\n         b. \t Proposed Completion Date for each corrective action\n         c. \t Clear description of corrective action, including\n              identification of supporting documentation that will\n              provide evidence of corrective action completion is\n              included in draft response. EXAMPLE: "This action will be\n              completed when the ACS directive is signed. A copy of the\n              signed ACS directive will be maintained in the Audit\n              notebook ." OR: This action will be completed when the\n              working group holds its first meeting. A copy of the meeting\n              invitation and the agenda will be maintained in the audit\n              notebook ."\n3. \t Final Audit Report\n4. \t First Corrective Action Plan submitted to OIG via AARTS\n5. \t OfG-s response to first Corrective Action Plan (see Reports menu in \n\n     AARTS) \n\n6. \t Audit Clearance Document (ACD)\n7. \t TABS for each corrective action\n8. \t Documentation supporting completion of each action as specifically \n\n     identified in Corrective Action Plan \n\n9. \t Completion Dates match dates of included supporting documentation\n 10. Final Corrective Action Plan\n 11. Comprehensive OIG Response (see Reports menu in AARTS)\n 12. Post Audit Group Response (see Reports menu in AARTS)\n 13. Request for Closure/Certification Memorandum\n 14. Closure Memo from Post Audit Group\n\n\n\nOM/DC IO Audit Notebook Cover Template \t                                           v   1.0917105\n\x0cResponse to Draft Audit Report ED-OIG/A 19F0003 Attachment B                               Page 1\n\n\n            ATTACHMENT B - TABLE OF CORRECTED COMPLETION DATES\n\n                   Corrective Actions That Need Updated Completion Dates \n\n                                            Current \n\n                                                      Proposed        Documentation\n     Audit                                    Date\n                            Action                    Corrective   Supporting Proposed\n                                            Listed in\n                                                        Date                  Date\n                                            AARTS\n                    1.1.3 Develop prototype                      A copy of the CD containing\n                    computer based records                                 the computer based training.\n                                                 4/19/02        6/3/03\n                    management training                                    The CD files are all dated\n                    module.                                                6/3/03 .\n                    1.2.1 Publish \n\n                    Department of Education \n\n                                                                           Copy of ACS Directive\n                    policies for records\n                    management. Include the\n                                                                           ocro: I-I 03 on Departmental\n                                                 4/19/02       12116/02    Records and Information\n                    requirement that each\n                                                                           Management Program dated\n                    Principal Office develop\n                                                                           12116/02\n                    office-specific policies \n\n                    and procedures. \n\n                    2.2.1 Develop a records \n\n                    management inventory \n\nAI1-AOO11           system that enables\n                    Principal Offices to                                   Copy of Training Slides and\nAudit of the\n                    identify electronic and                                Workshops schedule indicating\nDepartment\'s        paper format records they    5/2/03         6/3/03     first class to be held on 6/3/03\nRecord              create and maintain.                                   in the 1G conference room in\nManagement          Require Principal Offices                              MES.\nProgram             to use the records\n                    management inventory\n                    system.\n                    2.2.2 OCIO provide \n\n                    technical assistance to \n\n                                                                           Copy of the Department\'s\n                    Principal Offices in\n                                                                           submission to NARA that\n                    updating Records             5/2/03        11126/0 3\n                                                                           contains the results of their\n                    Retention and Disposition\n                                                                           technical assistance.\n                    Schedules in the records\n                    management invento!y.\n                                                                           Copy of the Department\'s\n                    2.3.1 Provide technical\n                                                                           submission to NARA,\n                    assistance to Principal\n                                                                           including unscheduled\n                    Offices in determining       5/2/03        11126/03\n                                                                           dispositions, contains the\n                    which federal records are\n                                                                           results of their technical\n                    unscheduled.\n                                                                           assistance.\n\x0c.\'\n\n     Response to Draft Audit Report ED-OIG/AI9F0003                                               Page 2\n\n\n                        Corrective Actions That Need Updated Completion Dates \n\n                                                   Current \n\n                                                             Proposed     Documentation\n          Audit                                      Date\n                                 Action                      Corrective Supporting Proposed\n                                                   Listed in\n                                                               Date             Date\n                                                   AARTS\n                         1.3.2 Establish a regular\n                         meeting of CIP and\n                         COOP program leaders to\n                         specificaUyaddress\n                         coordination. This                                 Copy of Security Coordination\n                         meeting will supplement        7/24/03   5115/03   Commi ttee Meeting Agenda\n                         the coordination efforts of                        dated 5/ \\ 5/03\n                         the monthly Security\n                         Coordination Committee\n                         tbat addresses aU areas of\n                         security.\n     AII-DOOOI           1.4.2 Establish a regular\n     Phase IT Audit      meeting of CIP and\n     of the              COOP program leaders to\n     Department\'s        specifically address                               Printout of the fina l POA&M\n                         coordination. This                                 action for Mission Critical\n     Critical\n                         meeting will supplement        7/24/03   1115/04   Sys tems that was entered into\n     lnfrastructure      the coordination efforts of                        the PIP Portal on 11 15104 \xc2\xad\n     Protection          the monthly Security                               FSA-DLCS-4\n     Program             Coordination Committee\n                         tilat addresses all areas of\n                         security.\n                         1.5.1 Make security\n                         requirements and costs for\n                         MEl assets and for\n                         agency-wide CIP\n                                                                            Copy of the lA Bus iness Case\n                         activities (contained in the   1012/03   10/3/03\n                                                                            dated 10/3/03\n                         Information Assurance\n                         business case) explicit in\n                         IT business cases and IRB\n                         presentations.\n                         1.2.3 Coordinate with\n                         OneED to analyze                                   Copy of GPEA Strategy posted\n                         business processes for the                         on ED.gov (under\n                         Department\'s major lines                           policy/genlleg/gpea/index.html)\n                         of business. Identify                              and a copy of the properties for\n                         additional opportunities to\n                                                        2/26/03   5/6/03\n                                                                            tlus posted document showing\n     All-COOO9\n                         provide electronic                                 that it was created on ED.gov\n     lnlplementation     alternatives to current                            on 5/6/03.\n     oflhe               business transactions, as\n     Government          appropriate.\n     Paperwork           1.2.4 Coordinate with                              Copy of GPEA Strategy posted\n     Elimination Act     PBDMI to identify                                  on ED.gov (u nder\n                         additional opportunities to                        policy/gen/leg/gpea/index. html)\n                         consolidate data                                   and a copy of the properties for\n                                                        2126/03   5/6/03\n                         collections and to provide                         tius posted document showing\n                         electronic altematjves to                          that it was created on ED.gov\n                         current business                                   on 5/6/03.\n                         transactions.\n\x0c.\'\n\n     Response to Draft Audit Report ED-OlGt A 19F0003                                           Page 3\n\n\n                         Corrective Actions That Need Updated Completion Dates\n                                                  Current\n                                                            Proposed       Documentation\n                                                    Date\n           Audit                 Action                     Corrective  Supporting Proposed\n                                                  Listed in\n                                                              Date             Date\n                                                  AARTS\n                          1.2.2 Concurrently with\n                          publication of the\n                          modified ACS Directive                            Copy of ACS Directive\n                          publish the calling card      6/23/03    3/9/04   OCIO:2-1 02 Wireless\n                          policies in ED Notebook                           Telecommunications Services\n                          and send email notices to\n                          all emplovees.\n                          1.3.1 Update the calling\n                          card foml and automate it\n                          through the                                       Copy of ACS Directive\n                          Telecommunications                                OCIO:2-102 Wireless\n                          Automated Tracking\n                                                        6/12/03    3/9/04   Telecommunications Services \xc2\xad\n                          System (TATS),\n                                                                            the foml is included in\n                          Customer Service Request\n                                                                            Attachment A of the Directive\n                          Module (CSRM). Add a\n                          section for supervisory\n                          approval.\n                          2.1.1 Employees with\n                          calling cards and those\n                          ordering new calling cards                        Copy of ACS Directive\n                          will be required to sign an                       OCIO:2- 102 Wireless\n     A19-BOOll            Employee Certification of\n     Audit of                                           6/ 12/03   3/9/04   Telecommunications Services \xc2\xad\n                          Responsibi lities fOfDL Tbe                       the form is included in\n     Controls over         form will re Ference                             Attachment A of the Directive\n     Govemment            discipijnary actions for\n     Calling Cards        unauthorized use of\n                          government property.\n                          2.2.1 Include the\n                          prohibition ou sharing\n                          calling cards and guidance\n                          that each employee or                             Copy of ACS Directive\n                          contra.ctor in need of a\n                                                        6/ 12/03   3/9/04   OCIO:2-102 Wireless\n                          calling card should apply                         Telecommunications Services\n                          for one. and not use\n                          another~s card, in the\n                          updated Wireless Services\n                          Directive.\n                          2.3.1 Include guidance\n                          that emplo yees use tbeir\n                          calling cards for\n                          autllOrized personnel calls                       Copy of ACS Directive\n                          while on travel, ratber\n                                                        6112/03    3/9/04   OCIO:2-102 Wireless\n                          tllan claiming the                                Telecommunications Services\n                          expenses on their travel\n                          vouchers, in the updated\n                          Wireless Services\n                          Directive.\n\x0c\xc2\xb7 .\'\n       Response to Draft Audit Report ED -O lG/A I 9F0003                                             Page 4\n\n\n                           Corrective Actions That Need Updated Completion Dates \n\n                                                       Current \n\n                                                                 Proposed     Documentation\n                                                         Date\n             Audit                 Action                        Corrective Supporting Proposed\n                                                       Listed in\n                                                                   Date            Date\n                                                       AARTS\n                            3.1.1 An\'ange for timely \n\n                             notification of employee\n\n       AI9-BOOll             status change, through\n       Audit of              transfer or departure from                          Copy of ACS Directive\n       Controls over         the Department. Use the         6/12/03   3/9/04    OCIO:2-102 Wire less\n       Government            informa tion to cancel \n                            Telecommunications Services\n       Calling Cards         accounts or reallocate \n\n                             them to the appropriate \n\n                             Principal Office. \n\n       A07-C0033             1.1.1 Develop and use in\n       Audit of Capital      tile FY 2004 Select Phase, \n\n       Planning and          a set of written procedures \n\n                             that formalizes the                                 Copy of two emails dated\n       Investment            Department\'s review                                 3/31 /04 (one for FSA and one\n       Management            process for IT investment       3/31/04   3/31/04   for non-FSA) distributing select\n                             co mpliance with the                                phase instTuctions, including\n                             Enterprise Architecture.                            EA review and responsibilities.\n                             The written procedures\n                             will delineate review\n                             responsibilities.\n\x0c'